Filename: xxx-port-knocking.txt
Title: Port knocking for bridge scanning resistance
Author: Jacob Appelbaum
Created: 19-April-2009
Status: Draft

            Port knocking for bridge scanning resistance

0.0 Introduction

This document is a collection of ideas relating to improving scanning
resistance for private bridge relays. This is intented to stop opportunistic
network scanning and subsequent discovery of private bridge relays.


0.1 Current Implementation

Currently private bridges are only hidden by their obscurity. If you know
a bridge ip address, the bridge can be detected trivially and added to a block
list.

0.2 Configuring an external port knocking program to control the firewall

It is currently possible for bridge operators to configure a port knocking
daemon that controls access to the incoming OR port. This is currently out of
scope for Tor and Tor configuration. This process requires the firewall to know
the current nodes in the Tor network.

1.0 Suggested changes

Private bridge operators should be able to configure a method of hiding their
relay. Only authorized users should be able to communicate with the private
bridge. This should be done with Tor and if possible without the help of the
firewall. It should be possible for a Tor user to enter a secret key into
Tor or optionally Vidalia on a per bridge basis. This secret key should be
used to authenticate the bridge user to the private bridge.

1.x Issues with low ports and bind() for ORPort

Tor opens low numbered ports during startup and then drops privileges. It is
no longer possible to rebind to those lower ports after they are closed.

1.x Issues with OS level packet filtering

Tor does not know about any OS level packet filtering. Currently there is no
packet filters that understands the Tor network in real time.

1.x Possible partitioning of users by bridge operator

Depending on implementation, it may be possible for bridge operators to
uniquely identify users. This appears to be a general bridge issue when a
bridge operator uniquely deploys bridges per user.

2.0 Implementation ideas

This is a suggested set of methods for port knocking.

2.x Using SPA port knocking

Single Packet Authentication port knocking encodes all required data into a
single UDP packet. Improperly formatted packets may be simply discarded.
Properly formatted packets should be processed and appropriate actions taken.

2.x Using DNS as a transport for SPA

It should be possible for Tor to bind to port 53 at startup and merely drop all
packets that are not valid. UDP does not require a response and invalid packets
will not trigger a response from Tor. With base32 encoding it should be
possible to encode SPA as valid DNS requests. This should allow use of the
public DNS infrastructure for authorization requests if desired.

2.x Ghetto firewalling with opportunistic connection closing

Until a user has authenticated with Tor, Tor only has a UDP listener. This
listener should never send data in response, it should only open an ORPort
when a user has successfully authenticated. After a user has authenticated
with Tor to open an ORPort, only users who have authenticated will be able
to use it. All other users as identified by their ip address will have their
connection closed before any data is sent or received. This should be
accomplished with an access policy. By default, the access policy should block
all access to the ORPort.

2.x Timing and reset of access policies

Access to the ORPort is sensitive. The bridge should remove any exceptions
to its access policy regularly when the ORPort is unused. Valid users should
reauthenticate if they do not use the ORPort within a given time frame.

2.x Additional considerations

There are many. A format of the packet and the crypto involved is a good start.
